Incident Management and Response

This page collects references to sources on cyber crisis management and incident response practices and related expertise. They may help in assessing one's options for establishing a CERT or CSIRT, or in replicating and implementing practical advice in the process of doing so.

Each entry lists the organization, title, year, type, and a description of the resource.

Organization: Global Forum on Cyber Expertise (GFCE) / Capgemini
Title: Introduction to Tabletop Exercises (TTX)
Year: 2023
Type: Guide
Description: Cyber Incident Management and Critical Information Infrastructure Protection by GFCE.

A tabletop exercise is a simulation in which personnel with roles and responsibilities in a particular Information Technology (IT) and Operational Technology (OT) plan meet in various settings (e.g. breakout groups, virtually, etc.).

Key benefits of conducting TTXs:

  • Team Building
  • Process Development and Refinement
  • Gap Analysis
  • Awareness
  • Technology Integration
  • Cooperation
  • Compliance with UN Norms for Responsible State Behaviour in Cyberspace

This first deliverable introduces what TTXs are, who takes part, how they are run, and why they are essential for improving cyber resilience, and it provides an array of scenarios. The two further deliverables that complete the package give more operational information on how to organize and execute a TTX so that organizations can benefit from TTXs effectively.

Organization: The Organization of American States (OAS)
Title: Practical Guide for CSIRTs
Year: 2023
Type: Guide
Description: One of the best practices for establishing a national computer security incident response team (CSIRT), developed by the Organization of American States.

Organization: Foreign & Commonwealth Office / Foreign, Commonwealth and Development Office
Title: Cyber-threat intelligence information sharing guide
Year: 2021
Type: Guide
Description: The guide documents the sharing of cybercrime, cybersecurity, and cyber threat intelligence information in the financial sector by providing an overview of core principles, objectives, benefits, and best practices.

The intended audience includes relevant leaders and practitioners in financial institutions, banking associations, national computer emergency response teams, government agencies, law enforcement, regulators, and other relevant private and public-sector organizations.

This document is addressed in particular to:

  • CEO (Chief Executive Officer) level
  • CISO (Chief Information Security Officer) or delegate
  • Government (e.g. an agency, where applicable)
  • Incident Response Team / incident analyst
  • Data sharing groups
  • Legal/compliance

Organization: Geneva Centre for Security Sector Governance (DCAF), by Milan Sekuloski
Title: DCAF’s CSIRT Capacity Building Methodology: Lessons Learned from the Western Balkans
Year: 2021
Type: Methodology
Description: This report aims to support international efforts for effective CSIRT capacity building. The paper and the proposed methodology aim to supplement existing approaches and methodologies and, by presenting some of the cases they draw from, offer additional material to the international body of knowledge on cybersecurity capacity building.

Organization: World Bank / GFCE, by Melissa Hathaway and Francesca Spidalieri
Title: Integrating Cyber Capacity to the Digital Development Agenda
Year: 2021
Type: Study
Description: Promoting digital transformation has become a priority for sustainable development, which is why organizations like the United Nations, large donor organizations, and countries involved in development assistance are prioritizing digitization as one of the key enablers of inclusive and sustainable economic growth and development. Yet rapid digital transformation – underpinned by affordable communications and cheap devices – has introduced new risks and vulnerabilities that cannot be ignored. Organizations and countries alike are increasingly concerned about the misuse of digital technologies, which might lead to critical infrastructure failures, financial destabilization, increased surveillance, human rights abuses, disinformation, data exploitation, and other negative impacts on public health and safety.

Organization: The French National Cybersecurity Agency (ANSSI)
Title: Organising a Cyber Crisis Management Exercise
Year: 2021
Type: Guide
Description: The purpose of this guide is to provide step-by-step support to organizations in setting up a cyber crisis management exercise that is credible and will serve as training, for both players and organizers. The organization of cyber crisis management exercises is fundamental. Carried out in partnership with the Club de la Continuité d’Activité (Business Continuity Club, CCA) and with the contribution of ENISA, this guide is the result of expertise developed at ANSSI over the years, combining experience in cyber security and crisis management. It offers a methodology based on the recognized standard of the guidelines for exercises (ISO 22398:2013).

More specifically, this guide is for anyone who wishes to organize exercises at the decision-making level to train their organization’s crisis unit: risk managers, those responsible for business continuity, exercises, or crisis management, those responsible for the security of information systems (SIS) or equivalent, etc. This guide is not intended for constructing purely technical exercises, for instance by providing a complete simulation of an information system (IS) using virtual machines (“cyber range”).

Organization: European Union Institute for Security Studies
Title: International Cyber Capacity Building: Global Trends and Scenarios
Year: 2021
Type: Report
Description: International cyber capacity building (CCB) projects involve countries, companies, and organizations helping each other across borders to develop functioning and accountable institutions that respond effectively to cybercrime and to strengthen a country’s cyber resilience. These projects take many forms, such as advising government teams that respond to national cybersecurity incidents, helping countries design and run public awareness campaigns about staying safe online, and training police to investigate cybercrime. This report identifies four trends in cyber capacity building and extrapolates their development to explore four potential scenarios that can inform capacity builders’ strategic decision-making.

  1. Trend 1: The field of cyber capacity building is growing.
  2. Trend 2: The gap between aspirations for coordination and its implementation is growing.
  3. Trend 3: More communities of practice are using CCB to pursue distinct aims.
  4. Trend 4: Cyber capacity building is gradually professionalizing.

Organization: European Union Agency for Cybersecurity (ENISA)
Title: Guide on How to Set up CSIRT and SOC
Year: 2020
Type: Good Practice
Description: This is result-driven guidance on establishing a computer security incident response team (CSIRT) or security operations center (SOC), with guidance on improvements for different types of CSIRTs and SOCs. The tool was developed as part of a project directed by ENISA.

Organization: National Cyber Security Centre (NCSC), UK
Title: Incident Management
Year: 2019
Type: Guidance
Description: As security measures evolve, so do the capabilities of the culprits. As a result, no security can ever be perfect. Incidents can and will happen, so it is important to be prepared for them. The NCSC guidance helps in planning, building, developing, and maintaining an effective cyber incident response capability.

Organization: Geneva Centre for Security Sector Governance (DCAF)
Title: Cybersecurity – DCAF’s Work on CERT Development
Year: 2019
Type: Discussion
Description: Discussions about CERT development usually center on technical needs, such as hardware and software, or costly staff training. It is impossible to identify the most appropriate tools, however, without developing the strengths of the team so that it can better absorb new knowledge and adapt equipment to its needs.

Organization: Thai Computer Emergency Response Team / Electronic Transactions Development Agency (ETDA), by Martijn van der Heide
Title: Establishing a CSIRT
Year: 2017
Type: Handbook
Description: With the ever-expanding Internet and the fact that more and more critical organizations require Internet access these days, stability and availability become ever more important. Critical infrastructure (e.g., the financial sector, energy, transport, or government) relies more and more on citizens being able to access its services through the Internet. At the same time, these organizations increasingly use the Internet to provide services to each other. The primary processes of many organizations have become reliant on the availability of the Internet, too.

The handbook is designed for organizations that wish to learn more about CSIRT teams and start one themselves. It describes both the process of establishing a team and the various requirements. Examples are given where possible to show how each step can be completed. The intended audience is management level, but the handbook can also be used directly by operational staff as a reference guide.

Organization: IEEE / Hewlett-Packard Laboratories
Title: On Computer Security Incident Response Teams
Year: 2014
Type: Article
Description: CSIRTs have evolved from loosely organized groups of system administrators into highly trained organizations with diverse capabilities, relying on complex technology to track, analyze, manage, and remediate security incidents. For many organizations, the CSIRT is the front line of security defenses, where they determine whether they are being attacked and how to respond. CSIRTs are highly labor-intensive; it is not unusual for the CSIRT of a large organization to consist of more than 50 people. Labor is the most expensive component, generally far exceeding the cost of the technology components. As a result, organizations are under tremendous pressure to optimize this precious resource.